Closed Bug 909188 Opened 11 years ago Closed 11 years ago

Allowing non-image in <img src> tag

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

VERIFIED INVALID

People

(Reporter: KirbyFCF2, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

A person posted a message to a forum (the message has since been removed so I can't link to it).  The message contained the following HTML:

 <img src="http://forums.thedailywtf.com/logout.aspx">



Actual results:

Any time someone went to the page containing that message, the code in "logout.aspx" was executed and the person was logged out of the forum.


Expected results:

The <img src> tag does not contain a valid image and should be ignored.  Or something.  Firefox certainly shouldn't be executing code in an image tag.  What if the code contained something more malicious than just logging off?
Component: Untriaged → HTML: Parser
Product: Firefox → Core
We can't know if it's an image before loading the URL.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Component: HTML: Parser → DOM: Core & HTML
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → INVALID
Version: 21 Branch → Trunk
Indeed.  The fact that the forum uses a GET for logout is just daft.  :(  And there's no way we can protect against it on our end, as Ms2ger points out.
Status: RESOLVED → VERIFIED
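
The server-side fix the comments point to, as an added example that is not part of the bug report or of any code from the forum or Mozilla: a logout handler that changes no state on GET, which is all an `<img src>` fetch can send, and ends the session only on a POST carrying a session-bound token. The names `login`, `csrf_token`, `handle_logout` and `SESSIONS` are hypothetical, and the in-memory session store is an assumption made to keep the sketch self-contained.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-process secret, constructed for this example
SESSIONS = {}                          # session id -> username (hypothetical in-memory store)


def login(username):
    """Create a session and return its id (stands in for the forum's real login)."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = username
    return session_id


def csrf_token(session_id):
    """Token bound to one session; the server puts it in the logout form as a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout(method, session_id, form):
    """Return (status, body). Only a POST carrying the session's token ends the session."""
    if method != "POST":
        # An <img src> fetch, like any link or navigation, arrives as GET:
        # refuse to change state, so an embedded URL cannot log anyone out.
        return 405, "Method Not Allowed"
    if session_id not in SESSIONS:
        return 401, "Not logged in"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        # A cross-site form can send the cookie but cannot read the token.
        return 403, "Invalid CSRF token"
    del SESSIONS[session_id]
    return 303, "Logged out"


if __name__ == "__main__":
    sid = login("alice")                                   # constructed sample user
    print(handle_logout("GET", sid, {}))                   # what the <img> tag sends
    print(handle_logout("POST", sid, {}))                  # forged POST without token
    print(handle_logout("POST", sid, {"csrf_token": csrf_token(sid)}))
```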